begin quoting Andrew Lentvorski as of Wed, Oct 04, 2006 at 08:44:21PM -0700: > Stewart Stremler wrote: > > >I agree that it's not _theft_ that's the issue. It's _disclosure_. > >Losing track of sensitive information is a big deal, and if it isn't, > >it damn well ought to be, and we need to crank up the penalties until > >it is taken seriously. > > Maybe this is the problem I'm having getting across. To me, theft is a > proxy for disclosure. I don't care about protecting the data from a > thief who is going to pawn my laptop. I care about protecting my data > from someone trying to damage my company.
In California, potential disclosure of sensitive data means you, the business, have to inform all of the people who's data you failed to adequately protect, yes? And that ought to count as "damage". John seems to be arguing that the liklihood of someone *targeting* your company is small; I think it's just a special case of "disclosure that can result in damage". > >>USB key in an offsite safe deposit box. This really isn't that hard. > >>Key management is not that easy, either. For a very small small shop, or > >>a home user, it is that easy. For a larger company, it gets harder. Who > >>can access that safety deposit box? What if that person is not avalable? > >>Or that person? What credentials are required? > > > >Who has access to those tapes? What if that person is not available? > >What credentials are required to access that information? > > You can claim these are difficult issues, but they are no different from > other business issues. They are no different from "Who can sign > checks?" if the entire executive staff is killed. Um.... huh? Is "you" here meant to be John or me? -- _ |\_ \| -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
